2.0.1 Segfault

Michael J. Hartwick hartwick at hartwick.com
Wed Jan 30 19:32:17 CET 2008


Hi,

I know that this post may not contain all of the required information, 
this is just to get things going while I investigate further.

I have had a problem with FreeRADIUS segfaulting intermittently for a 
number of months which makes it hard to gather the required 
information. The only thing that I found in all cases was the 
numerous, empty Cisco-AVPairs in the packet. With it being a segfault 
I suspect accessing a null pointer somewhere.

I have captured a packet that is causing this to occur and sure enough 
it contains the numerous, empty Cisco-AVPairs. I have started it in 
gdb now, the output of bt is below.

rad_recv: Accounting-Request packet from host w.x.y.z port 2903, id=213,
length=362
         Service-Type = Framed-User
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         Cisco-AVPair = ""
         NAS-Port-Type = Async
         Connect-Info = "3120"
         Calling-Station-Id = "NPANXXxxxx"
         X-Ascend-PreSession-Time = 41
         X-Ascend-Disconnect-Cause = Remote-End-Hung-Up
         Acct-Session-Id = "00004E39"
         Acct-Session-Time = 114
         Framed-IP-Address = W.X.Y.Z
         Acct-Link-Count = 1
         Acct-Authentic = RADIUS
         User-Name = "test at test.com"
         NAS-Port = 1060
         Called-Station-Id = "yyyxxxx"
         Framed-Protocol = PPP
         Acct-Terminate-Cause = User-Request
         Acct-Input-Packets = 53
         Acct-Output-Packets = 39
         X-Ascend-Data-Rate = 26400
         Acct-Delay-Time = 0
         Acct-Input-Octets = 1431
         Login-Service = PortMaster
         Acct-Output-Octets = 9084
         X-Ascend-Modem-SlotNo = 6
         X-Ascend-Xmit-Rate = 31200
         Acct-Status-Type = Stop
Segmentation fault

0x40297d8f in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x40297d8f in memcpy () from /lib/libc.so.6
#1  0x400289c1 in rad_attr2vp (packet=0x8177678, original=0x0, secret=0x8169168 "secret",
     attribute=90, length=0, data=0x817887c "\004\006\n\001\001\226x\006\001\005")
     at radius.c:1953
#2  0x40028df4 in rad_decode (packet=0x8177678, original=0x0, secret=0x8169168 "secret")
     at radius.c:2386
#3  0x080539d4 in client_socket_decode (listener=0x8174960, request=0x8178898) at listen.c:697
#4  0x0805faab in request_pre_handler (request=0x8178898) at event.c:995
#5  0x08061e2d in radius_handle_request (request=0x8178898, fun=0x804d2b0 <rad_accounting>)
     at event.c:2701
#6  0x0805ad21 in thread_pool_addrequest (request=0xffffffff, fun=0x8179f04) at threads.c:860
#7  0x08061510 in event_socket_handler (xel=0x8174f98, fd=13, ctx=0x8179f04) at event.c:2340
#8  0x40030c23 in fr_event_loop (el=0x8174f98) at event.c:412
#9  0x08061e03 in radius_event_process () at event.c:2696
#10 0x0805968f in main (argc=2, argv=0x2) at radiusd.c:381
#11 0x4022fd06 in __libc_start_main () from /lib/libc.so.6

I *think* that the problem might be the length=0 in the call to 
rad_attr2vp(). If that is the case then something like:

if (length == 0) return NULL;

at line 1928 or so of radius.c might resolve the problem. Before I go 
ahead and make that addition, am I on the right page or way off in 
left field on this?

Michael

----------------------------------------------------------------------
Michael J. Hartwick, VE3SLQ                      hartwick at hartwick.com
Hartwick Communications Consulting                      (519) 396-7719
Kincardine, ON, CA                             http://www.hartwick.com
----------------------------------------------------------------------
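
Added example, not part of the original post and not FreeRADIUS code: a minimal RADIUS attribute walker that validates every length octet before any value is touched and treats an empty value, such as the Cisco-AVPair = "" entries in the dump above, as a case with nothing to copy. The names radius_walk, walk and walk_result and the bytes of sample_pkt are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RADIUS_HDR_LEN 20 /* code, id, length(2), authenticator(16) */
#define ATTR_VSA 26       /* Vendor-Specific: 4-byte vendor id, then sub-TLVs */

struct walk_result { int attrs; int empty; }; /* hypothetical result type */

/* Constructed sample: Accounting-Request, id 213, two empty Cisco-AVPairs
 * (vendor 9, vendor-type 1, vendor-length 2 = header only, no value). */
static const uint8_t sample_pkt[48] = {
    4, 213, 0, 48,              /* header; authenticator left as zeros */
    [20] = 6, 6, 0, 0, 0, 2,    /* Service-Type = Framed-User */
    26, 8, 0, 0, 0, 9, 1, 2,    /* Cisco-AVPair = "" */
    26, 8, 0, 0, 0, 9, 1, 2,    /* Cisco-AVPair = "" */
    40, 6, 0, 0, 0, 2           /* Acct-Status-Type = Stop */
};

/* Walk type/length/value triples; the length octet counts its own 2-byte header. */
static int walk(const uint8_t *p, size_t len, int top, struct walk_result *r)
{
    while (len > 0) {
        if (len < 2) return -1;                /* truncated header */
        size_t alen = p[1];
        if (alen < 2 || alen > len) return -1; /* alen - 2 would wrap, or overrun */
        if (top && p[0] == ATTR_VSA) {
            if (alen < 6) return -1;           /* no room for the vendor id */
            if (walk(p + 6, alen - 6, 0, r) < 0) return -1;
        } else {
            r->attrs++;
            if (alen == 2) r->empty++;         /* empty value: nothing to copy */
        }
        p += alen; len -= alen;
    }
    return 0;
}

/* Returns 0 when every length is consistent, -1 for a malformed packet. */
int radius_walk(const uint8_t *pkt, size_t pktlen, struct walk_result *r)
{
    memset(r, 0, sizeof(*r));
    if (pktlen < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pktlen) return -1;
    return walk(pkt + RADIUS_HDR_LEN, declared - RADIUS_HDR_LEN, 1, r);
}
```

On sample_pkt the walker returns 0 with four attributes counted, two of them empty; a length octet below 2 or past the end of the buffer makes it return -1 instead of reaching a copy.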


